Dec. 2006 Security Updates
Dec. 18, 2006

Three critical and four important patches addressing multiple vulnerabilities were distributed on the Dec. 2006 "Patch Tuesday." The patches repair vulnerabilities in Windows, Internet Explorer (IE), Outlook Express, and Visual Studio 2005, and a critical patch for Excel was reissued. The patch for Visual Studio addresses a zero-day vulnerability (that is, a vulnerability that was already being exploited when it was publicly revealed) for which Microsoft had previously issued a security advisory. However, the patches do not address another zero-day vulnerability, in Word, that Microsoft has identified in a separate security advisory.

Critical Patches

Although none of the critical patches released in Dec. 2006 affects either Windows Vista or IE 7.0, users of older versions of Windows and IE should install the cumulative patch for IE, which addresses a number of vulnerabilities in the browser.

The critical patch for Visual Studio 2005 addresses a remote code execution vulnerability that could allow an attacker to take complete control of an affected system. The patch corrects the way the WMI Object Broker validates the controls it instantiates. The WMI Object Broker is an ActiveX control shipped with Visual Studio 2005 that the WMI Wizard uses internally to instantiate other controls; because it is an ActiveX control, a specially crafted Web page can instantiate it too, so simply viewing such a page in IE exposes an unpatched system.

The third critical update addresses two remote code execution vulnerabilities in the Windows Media Format Runtime; either could allow an attacker to take complete control of the system.

The patch fixes a buffer overrun in the Windows Media Format Runtime, which provides support for Advanced Systems Format (ASF) files. An attacker could exploit the vulnerability with specially crafted Windows Media Format content; remote code execution results if a user visits a malicious Web site or opens a specially crafted ASF file attached to an e-mail message. ASF is an audio and video container format designed for streaming, that is, delivery as a continuous flow of data over a network. It can hold audio, video, slide shows, and synchronized events, and a file may carry the extension ASF, WMA, or WMV.

The patch also addresses a vulnerability in how the Windows Media Format Runtime handles certain elements of Advanced Stream Redirector (ASX) files. An ASX file is a playlist of Windows Media files to play during a multimedia presentation; it is used frequently on streaming video servers where multiple ASF files are played in succession over a variety of protocols, such as Real Time Streaming Protocol (RTSP), Microsoft Media Server (MMS), and HTTP. ASX files carry the MIME type video/x-ms-asf, as do ASF files.
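Both Windows Media Format bugs are in parsing of attacker-supplied length and element data, so the check a safe parser must make is worth seeing concretely. The following is an added example written for this page, not code from Microsoft or from the Windows Media Format Runtime: it walks the top-level ASF Header Object (GUID 75B22630-668E-11CF-A6D9-00AA0062CE6C, then a 64-bit size, a 32-bit sub-object count, and two reserved bytes) and refuses any object whose declared size exceeds the bytes actually present. The sample header is constructed inline; the helper function names and the 4096-byte forged size are this example's own choices, and PowerShell 5 or later is assumed for `[Guid]::new()`.

```powershell
# Added example: a bounds-checked walk of the top-level ASF Header Object.
# Illustrative code, not the Windows Media Format Runtime's parser; the sample
# header below is constructed inline rather than taken from a real file.
# Assumes PowerShell 5 or later for [Guid]::new().

$AsfHeaderGuid    = [Guid]'75B22630-668E-11CF-A6D9-00AA0062CE6C'   # ASF_Header_Object
$AsfFilePropsGuid = [Guid]'8CABDCA1-A947-11CF-8EE4-00C00C205365'   # ASF_File_Properties_Object

function Read-AsfHeader {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    # Header Object: GUID(16) + size(8) + object count(4) + 2 reserved bytes = 30 bytes.
    if ($Bytes.Length -lt 30) { throw "Buffer too short for an ASF Header Object" }
    $guid = [Guid]::new([byte[]]$Bytes[0..15])
    if ($guid -ne $AsfHeaderGuid) { throw "Not an ASF Header Object: $guid" }

    $headerSize = [BitConverter]::ToUInt64($Bytes, 16)
    $count      = [BitConverter]::ToUInt32($Bytes, 24)

    # The declared size is attacker-controlled. Using it as a copy length
    # without this check is exactly how a buffer overrun starts.
    if ($headerSize -lt 30 -or $headerSize -gt $Bytes.Length) {
        throw "Header Object declares $headerSize bytes but only $($Bytes.Length) are present"
    }
    $end = [int]$headerSize      # safe: already bounded by the buffer length

    $objects = @()
    $offset  = 30
    for ($i = 0; $i -lt $count; $i++) {
        # Each sub-object is GUID(16) + size(8) + payload, so 24 bytes minimum.
        if ($offset + 24 -gt $end) { throw "Object $i header runs past the end of the Header Object" }
        $objGuid = [Guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $objSize = [BitConverter]::ToUInt64($Bytes, $offset + 16)
        if ($objSize -lt 24 -or $objSize -gt ($end - $offset)) {
            throw "Object $i ($objGuid) declares $objSize bytes; only $($end - $offset) remain"
        }
        $objects += [pscustomobject]@{ Index = $i; Guid = $objGuid; Offset = $offset; Size = [int]$objSize }
        $offset += [int]$objSize
    }
    return $objects
}

function New-AsfObject {
    param([Guid]$Guid, [byte[]]$Body, [uint64]$DeclaredSize = 0)
    # A correct writer declares 24 + payload length; the override lets us forge a bad one.
    if ($DeclaredSize -eq 0) { $DeclaredSize = [uint64](24 + $Body.Length) }
    return ,[byte[]]($Guid.ToByteArray() + [BitConverter]::GetBytes($DeclaredSize) + $Body)
}

function New-AsfHeader {
    param([byte[]]$SubObjects, [uint32]$Count)
    return ,[byte[]]($AsfHeaderGuid.ToByteArray() +
        [BitConverter]::GetBytes([uint64](30 + $SubObjects.Length)) +
        [BitConverter]::GetBytes($Count) + [byte[]](1, 2) + $SubObjects)
}

# Constructed sample: a well-formed header holding one zeroed File Properties Object
# (80-byte payload), then the same header with the sub-object claiming 4096 bytes it lacks.
$good = New-AsfHeader (New-AsfObject $AsfFilePropsGuid (New-Object byte[] 80)) 1
$bad  = New-AsfHeader (New-AsfObject $AsfFilePropsGuid (New-Object byte[] 80) 4096) 1

Read-AsfHeader $good | Format-Table Index, Guid, Offset, Size
try   { Read-AsfHeader $bad | Out-Null; "unexpected: oversized object accepted" }
catch { "rejected: $($_.Exception.Message)" }
```

The well-formed header lists one object at offset 30 with size 104; the forged header is rejected with a message naming the 4096-byte claim against the 104 bytes that remain. The same discipline applies one level down: every nested length inside the File Properties, Stream Properties, and other objects is data the attacker wrote and must be checked against the enclosing object's bounds before it is used.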

Other Patch Tuesday Announcements

Microsoft has reissued the critical patch for MS06-059 (Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution). The reason: on Excel 2002 systems with version 2.0 of Windows Installer, the original update reported that it had installed successfully, but the binary, Excel.exe, was not actually replaced with the fixed version. Because the installer reported success, patch-management tools that trust the installer's return status will also show those systems as patched, so the file version, not the install log, is the thing to check. Excel 2002 users should verify the version of Excel.exe; if it is still earlier than 10.0.6816.0, the re-released patch for Excel 2002 must be installed.
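A script makes that verification repeatable across a fleet. The following is an added example written for this page, not a Microsoft tool: it reads the version resource of Excel.exe and compares it numerically against 10.0.6816.0. The default path assumes a default Excel 2002 (Office XP) install under the Office10 folder; the function name and the warning text are this example's own.

```powershell
# Added example: confirm that the re-released MS06-059 update actually replaced Excel.exe.
# Illustrative code, not Microsoft's. The default path assumes a default Excel 2002
# (Office XP) install; the threshold is the 10.0.6816.0 version the bulletin cites.

function Test-ExcelPatched {
    param(
        [string]$Path = 'C:\Program Files\Microsoft Office\Office10\Excel.exe',
        [version]$MinimumVersion = '10.0.6816.0'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Excel.exe not found at $Path"
    }
    $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)

    # This check only means something for the Excel 2002 (10.x) binary.
    if ($info.FileMajorPart -ne $MinimumVersion.Major) {
        Write-Warning "Excel.exe major version $($info.FileMajorPart) is not the Excel 2002 (10.x) binary this check targets"
    }

    # Build a [version] from the numeric parts. Comparing the FileVersion string
    # lexically would sort '10.0.9999.0' below '9.0.0.0'.
    $fileVersion = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                                  $info.FileBuildPart, $info.FilePrivatePart)
    [pscustomobject]@{
        Path        = $Path
        FileVersion = $fileVersion
        Required    = $MinimumVersion
        Patched     = ($fileVersion -ge $MinimumVersion)
    }
}

# Check this machine; for remote hosts run the same function under Invoke-Command.
$result = Test-ExcelPatched
$result
if (-not $result.Patched) {
    Write-Warning "Excel.exe is $($result.FileVersion); install the re-released MS06-059 update"
}
```

Run it after the re-released update has been applied as well: a `Patched` value of `True` on the file version is the only evidence that the fixed binary is in place, since the installer's own success status is what was wrong in the first place.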

The monthly update of the Malicious Software Removal Tool was released on Patch Tuesday as well. This month's version adds detection and removal of Win32/Beenut.

Resources

Information about updates released in Dec. 2006 can be found at www.microsoft.com/technet/security/current.aspx.

Information about security advisories released in Dec. 2006 can be found at www.microsoft.com/technet/security/advisory/default.mspx.

The latest version of the Malicious Software Removal Tool can be executed from www.microsoft.com/security/malwareremove/default.mspx.